Unfortunate Ruling Says Changing Your IP Address Can Be 'Unauthorized Access' To A Public Website

from the really-now? dept

We've covered for a while why we think Craigslist made a mistake in suing 3taps and Padmapper over scraping of Craigslist data. Of particular concern were the very bad legal precedents this may set, which tend to be completely contrary to Craig Newmark's own stance on internet freedom (of which he's been a strong supporter). Indeed, the legal arguments made by Craigslist are insulting to those who believe in internet freedom and really put Craigslist in a poor light. 3taps and Padmapper were driving more traffic to Craigslist and enhancing the service -- something that lots of sites on the internet do all the time. And yet they're facing very harsh penalties.

While an initial court ruling found that some of Craigslist's wackier theories didn't apply (e.g. violating the terms of service isn't a CFAA violation and the copyright claims concerning Craigslist posts failed), the latest ruling, unfortunately, finds that the combination of a cease-and-desist letter and merely changing your IP address creates unauthorized access to a public website. That's troubling on a variety of levels, mostly because changing an IP address isn't any form of "hacking." It's incredibly easy to do, and in many cases happens automatically without any input from users, if they have a dynamic IP address.

Changing your IP address is simply not hacking. That's because masking your IP address is an easy, common thing to do. And there's plenty of legitimate reasons to do so, whether it's to protect your privacy, preserve innovation or avoid price discrimination....

There's a serious potential for mischief that is encouraged by this decision, as companies could arbitrarily decide whose authorization to "revoke" and need only write a letter and block an IP address to invoke the power of a felony criminal statute in what is, at best, a civil business dispute.

Similarly, Orin Kerr, who tends to be more sympathetic about these kinds of cases, finds the use of a mere IP address change to be quite problematic:

Judge Breyer sees IP blocking as sufficient. But it’s unfortunate that Breyer doesn’t give the issue more analysis, as I think it’s a really interesting question. The counterargument runs like this. IP addresses are very easily changed, and most people use the Internet from different IP addresses every day. As a result, attempting to block someone based on an IP address doesn’t “block” them except in a very temporary sense. It pauses them for a few seconds more than actually blocks them. It’s a technological barrier in the very short term but not in the long term. Is that enough to constitute a technological barrier?

Judge Breyer’s opinion appears to mix up two different aspects of the CFAA. The first aspect is the prohibition on unauthorized access, and the second is its associated mental state element of intent. The CFAA only prohibits intentional unauthorized access; merely knowingly or recklessly accessing without authorization is not prohibited. So whatever unauthorized access means, the person must be guilty of doing that thing (the act of unauthorized access) intentionally to trigger the statute. Breyer seems to mix up those elements by focusing heavily on the fact that 3taps knew that Craigslist didn’t want 3taps to access its site. According to Judge Breyer, the clear notice meant that the case before him didn’t raise all the notice and vagueness issues that prompted the Ninth Circuit’s decision in Nosal.

I think this analysis is somewhat misdirected. In my view, the fact that 3taps was on notice that Craigslist did not want them to access the Craigslist website is only relevant to show intent. From that perspective, Judge Breyer should have been clearer that the cease-and-desist letter couldn’t make visiting the website an “unauthorized access.” The letter is just a written statement of the owner’s wishes as to who can visit the site, just like Terms of Service. In my view, whether the facts of the 3taps case amount to an unauthorized access hinges on the circumvention of IP blocking. If so, then the cease-and-desist letter shows that the act of unauthorized access was intentional; if not, then the letter does not have any relevance to the CFAA.

That's really the key point here. The cease and desist is no different than the terms of service -- and yet it's already been stated that violating the terms isn't a CFAA violation. So the real issue here is the changing of an IP address. And the idea that a mere changing of an IP address opens you up to criminal liability is insane. This is a horrible precedent and one that Craigslist and Craig Newmark should be ashamed of, having brought it into this world for no good reason.

Reader Comments

Is there room for appeal? There are sound arguments to debunk this absurd ip rationale as far as I can see.

If the site is public then it's public and unless there is explicit, identifiable damages a determined party is causing there should be no issues with changing an IP and circumventing an arbitrary block. Sounds like the damages the MAFIAA seeks in copyright cases, they are not proven but hell why not punish some people just for the heck of it?

NO, says that BUSINESS "3taps" can't use someone else's work!

You can stop panicking! Has no obvious application to your personal activities, kids. You are entirely confusing persons with corporations.

But corporations are not persons, don't have any inherent rights, don't have any right to use the products of another corporation, and DEFINITELY not after receiving a cease-and-desist letter! All access is then definitely UNAUTHORIZED and they knew it!

Techdirt's motto: The confusion has become so complete that it's beyond correction.

Re: NO, says that BUSINESS "3taps" can't use someone else's work!

A Comcast spokesperson responded to an inquiry we sent to the company’s lawyers: “[I] am replying to let you know that the cease and desist was sent in error, and you may disregard it. We apologize for any confusion this may have caused.”

Except as far as precedence goes, this case is very limited.
The Judge was clear that it was only because they had received the cease and desist letter, along with a few other conditions precedent.

This is akin to trespassing after receiving a trespass notice.
I go to Walmart, and am given a letter by management that I may not re-enter the store.
The next week I put on a special tin foil hat which hides my features from the facial recognition security cameras.
Anyone is allowed to walk into Walmart wearing this special helmet. But because I was already told I was not allowed on the premises, I now not only trespassed, but used a device to circumvent to do so.

But just because I understand the decision and can explain why it's not as horrible, yeah, it is still bad, and sadly the justice department will do everything it can to enlarge the facts which it covers.

Re: NO, says that BUSINESS "3taps" can't use someone else's work!

While I do agree with you that's probably the way it should be, I don't think our current legal atmosphere shares that view.

...don't have any right to use the products of another corporation...

What "products" are you talking about? You mean the classified ads in Craigslist? The ads that the court refused to give Craigslist copyrights on? Those "products"?

...and DEFINITELY not after receiving a cease-and-desist letter! All access is then definitely UNAUTHORIZED and they knew it!

Jeez, Blue, that's really silly. I mean seriously, think about it. With this ruling Mike could fire off a cease and desist to you, block your IP and if you ever accessed Techdirt from a different computer or your phone or from your work location, then you could be criminally liable. You really think that's a good thing?

A lot of the world is guilty

Where I work everything goes through a proxy server. Almost 20,000 of us using the same IP address. When I go from WiFi hotspot to WiFi hotspot I change my IP address. If I leave a WiFi address and go to 3G my IP address changes.

I can understand a more localized ruling, such that if you change your IP address to avoid a C&D order, but generic IP address changing is so commonplace that the judge himself is probably guilty of it every day and he doesn't know it.

The most troubling thing is that there are still judges sitting on cases that involve the Internet in some way or another and they either don't know a damn thing about what they are ruling on or these particular judges are being given these cases on purpose, so as to appear dim on the subjects but are in actual fact extremely well versed on the subject and rule intentionally how they do so as to enforce the way the various entertainment industries want things, given how things have been molded in the past.

Anyone who has their IP address dynamically allocated via DHCP, is a felon. Any internet service provider that employs DHCP to assign IP addresses on their network, is guilty of employing a hacking tool, and is also a felon.

Re: Re: NO, says that BUSINESS "3taps" can't use someone else's work!

"With this ruling Mike could fire off a cease and desist to you, block your IP and if you ever accessed Techdirt from a different computer or your phone or from your work location, then you could be criminally liable. You really think that's a good thing?"

Re:

Clueless comments on idiotic journalism

You should be ashamed for writing an article purely to generate attention instead of the actual truth. This company clearly violated a judge's ruling by using a proxy to accomplish what they had been expressly forbidden from. If you are not able to understand the reality of the case, you should not be reporting on it. For shame.

Enjoy the comments from the idiots who are as clueless as the author. Do a bit of research and you'll understand.

Re: Clueless comments on idiotic journalism

You should be ashamed for writing an article purely to generate attention instead of the actual truth. This company clearly violated a judge's ruling by using a proxy to accomplish what they had been expressly forbidden from. If you are not able to understand the reality of the case, you should not be reporting on it. For shame.

We've written extensively about legal issues, and the CFAA in particular for years. We've covered this case since the first threats were issued.

The ruling has nothing to do with whether or not 3taps "violated a judge's ruling" because this is about whether or not 3taps' actions violated a specific *law*, the CFAA.

If you'd care to explain what *FACTS* you think we got wrong, we're happy to hear you out, but the fact that you focus on insults, and don't provide a single fact that we got wrong (instead making statements that are blatantly untrue), I'm not sure you really understand the issues of the case.

Shop-In's

Let's reason by analogy. Suppose you are Target, and you decide to hold a 1960's style "shop-In" at Wal-Mart. You pay a thousand people to go into the local Wal-Mart, all at the same time, and they spend three hours in the store, fingering and disarranging the merchandise. A squad of them make small purchases, say a pack of gum or a candy bar, paying in pennies, with the maximum possible delay, and when they're done that, they go outside, throw the candy in a pickup truck, collect more pennies, and go back in to repeat the cycle. Maybe some of them try to return their candy bars. The practical effect is that the Wal-Mart is generating little or no revenue, and is effectively clogged up, so that the regular customers can't shop there, and are forced to go to Target.

In the 1960s, political organizers sometimes used this as a technique of coercion. If you decided that a slum neighborhood needed a Kroger's, a Safeway, an A&P, or whatever, you could take your Shop-In to a store in a posh neighborhood, until the corporate headquarters saw the light and agreed to open a store in the slum neighborhood.

Now, of course, in the Craigslist case, the real issue is "bots" impersonating people, and flooding the system so that people can't get in. The intent is to coerce Craigslist to hand over a full data-feed.

Re: Shop-In's

Except that neither of their original claims suggested 3taps was causing service interruptions or other usability issues. They were founded in claims of copyright infringement and terms of use violation.

Your reason by analogy is based on a faulty analogy. This is more like someone looking through a real estate agent's listings and then telling a friend about places for sale, then sending to the agent to purchase.

Re:

I think you are confused with the example. Walmart isn't a public website, they actually do have security and yet some other rules to follow in order to use their stores. On the other hand public websites do not have officers to watch their traffic to block some of them because of any of their activity unless there is some membership to cancel that membership or DDoS relative attacks...